/tmp suddenly full - possible DOS hack?
Kenton Brede
kbrede at nixnotes.org
Mon Oct 13 20:08:26 PDT 2003
On Mon, Oct 13, 2003 at 10:59:51PM -0400, Barry Hawkins wrote:
> List,
> I have a single FreeBSD server (5.1) that I run at home behind a
> firewall with ports open for ssh, dns, and http. I began having
> trouble with my DNS not responding, then noticed that ssh was not
> responding either. Upon logging in at the server, I noticed error
> messages about my /tmp filesystem being full. Issuing df revealed the
> following:
>
> Filesystem  1K-blocks    Used   Avail Capacity  Mounted on
> /dev/ad0s1a    253678   72770  160614    31%    /
> devfs               1       1       0   100%    /dev
> /dev/ad0s1e    253678     542  232842     0%    /tmp
> /dev/ad0s1f   8209710 3440818 4112116    46%    /usr
> /dev/ad0s1d    253678  253106  -19722   108%    /var
>
> Upon further investigation, I noticed a series of grossly bloated
> messages logs:
>
> -rw-r--r-- 1 root wheel 43001 Oct 13 22:37 messages
> -rw-r--r-- 1 root wheel 196001815 Oct 13 17:00 messages.0
> -rw-r--r-- 1 root wheel 87398 Oct 13 16:00 messages.1.bz2
> -rw-r--r-- 1 root wheel 87096 Oct 13 15:00 messages.2.bz2
> -rw-r--r-- 1 root wheel 109446 Oct 13 14:00 messages.3.bz2
> -rw-r--r-- 1 root wheel 184596 Oct 13 13:00 messages.4.bz2
> -rw-r--r-- 1 root wheel 36822 Oct 13 12:00 messages.5.bz2
>
> This is the first BSD box that I have had that allows DNS queries,
> and this is the first time I have experienced something like this. Is it
> some sort of DOS attack? I am sure there are a hundred variables that
> I am unaware of, but if some of the list sages could be so kind as to
> prod me in the right direction(s) I would be most appreciative.
>
Have you looked in the "messages" log files? What entries do they
contain? That could give you a clue.
Kent
--
"I am always doing that which I can not do,
in order that I may learn how to do it." --Pablo Picasso
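
An added example, not part of the original post: one way to act on the suggestion above is to tally a bloated messages file by writing program and by minute. The line format "Mon DD HH:MM:SS host program[pid]: text" is assumed, the function names are hypothetical, and the sample lines are constructed.

```shell
#!/bin/sh
# Triage a bloated BSD syslog file: who wrote the most, and when.
# Assumed line format: "Mon DD HH:MM:SS host program[pid]: text".

# Print "events bytes program", largest first. Events include collapsed
# repeats; bytes are what the program's lines occupy on disk.
top_talkers() {
    awk '
    $5 == "last" && $6 == "message" && $7 == "repeated" {
        # syslogd collapses duplicates; credit them to the previous program
        if (prev != "") lines[prev] += $8
        next
    }
    {
        tag = $5
        sub(/:$/, "", tag)            # drop trailing colon
        sub(/\[[0-9]+\]$/, "", tag)   # drop [pid]
        lines[tag]++
        bytes[tag] += length($0) + 1
        prev = tag
    }
    END { for (t in lines) printf "%d %d %s\n", lines[t], bytes[t], t }
    ' "$1" | sort -rn | head -10
}

# Print "lines Mon DD HH:MM" for the minutes with the most lines written.
busiest_minutes() {
    awk '{ n[$1 " " $2 " " substr($3, 1, 5)]++ }
         END { for (m in n) printf "%d %s\n", n[m], m }' "$1" |
        sort -rn | head -5
}

# Constructed sample lines (not from the poster's system).
sample_log() {
    cat <<'EOF'
Oct 13 16:58:01 host sshd[411]: constructed sample line A
Oct 13 16:59:10 host named[312]: constructed sample line B
Oct 13 16:59:11 host named[312]: constructed sample line B
Oct 13 16:59:12 host last message repeated 40 times
Oct 13 16:59:30 host kernel: constructed sample line C
EOF
}

f=$(mktemp) && sample_log > "$f"
top_talkers "$f"
busiest_minutes "$f"
rm -f "$f"
```
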
More information about the freebsd-questions mailing list